diff --git a/www/howto/handle-security-issues.spt b/www/howto/handle-security-issues.spt index ac4a7f3..377f251 100644 --- a/www/howto/handle-security-issues.spt +++ b/www/howto/handle-security-issues.spt @@ -6,13 +6,25 @@ nav_title = 'Handle Security Issues' [HackerOne page](https://hackerone.com/gratipay). This document is for internal Gratipay staff.* -We manage our entire security queue in HackerOne. We support email as a -fall-back. When we receive disclosures on security@gratipay.com, [file a -report](https://hackerone.com/gratipay/reports/new) at HackerOne and manage the -issue there. If the researcher doesn't want to join HackerOne, add them to -the [old Hall of Fame](https://gratipay.com/about/security/hall-of-fame) instead. +We [use HackerOne](https://hackerone.com/gratipay) to manage our security +[queue](./manage-queues). HackerOne assigns five reputation points for +reporting a bug, and two for reporting a duplicate. Therefore, if you need to +reticket anything from a HackerOne bug, be sure to have the original researcher +make the reticket so that they get the credit. Publicly disclose all resolved +HackerOne tickets. -If the issue requires code changes, create a private repo in GitHub, using the +We support email as a fall-back reporting mechanism. When we receive +disclosures on security@gratipay.com, ask the researcher to [file a +report](https://hackerone.com/gratipay/reports/new) at HackerOne instead. If +they are unresponsive or don't want to use HackerOne, then file the issue +yourself so we can manage the issue there (you'll get the reputation points in +this case). If the researcher doesn't join HackerOne, offer to add them to the +[old Hall of Fame](https://gratipay.com/about/security/hall-of-fame) instead. + + +## Code Changes + +If an issue requires code changes, create a private repo in GitHub, using the naming convention `security-deadbeef`, then do this: ``` 
@@ -24,7 +36,7 @@ git push $repo master:upstream git push -u $repo $branch:$branch ``` -And here's how to deploy them before merging back to upstream: +Here's how to deploy code changes before merging back to upstream: ``` git checkout master && git pull
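Review bot: "Publicly disclose all resolved HackerOne tickets." in the first new paragraph is unconditional; since the same hunk tells staff to work on fixes in a private repo before merging, the sentence should say that disclosure is requested only after the fix is deployed, and that the report is checked for credentials, internal hostnames or other sensitive detail beforehand. The reputation figures (five points for a bug, two for a duplicate) are HackerOne's policy, not ours, and can change, so either link them to HackerOne's own documentation or drop the numbers and keep the rule that the original researcher files the reticket. The fallback paragraph also says staff "get the reputation points" when filing on a researcher's behalf; add that the report should name the original reporter so credit is not silently taken.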
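Review bot: The reworded lead-in ("Here's how to deploy code changes before merging back to upstream:") reads fine, but the procedure it introduces opens with `git checkout master && git pull`, while the preceding context pushes with `git push $repo master:upstream` and `git push -u $repo $branch:$branch`; nothing in the visible text says which remote `master` is pulled from or reminds the reader that the fix must not reach the public remote before it is deployed. Add one sentence defining `$repo` (the private repo created under the `security-deadbeef` convention) and `$branch`, and a warning that the public upstream receives the fix only after deployment, since that is the whole reason for the private repo.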